ISO/IEC 27017 and ISO/IEC 27018

ISO/IEC 27017
Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services

ISO/IEC 27018
Information technology – Security techniques – Code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors


These standards offer comprehensive guidance on security when working in the cloud. The main difference between the two is that ISO/IEC 27017 covers information security controls for cloud services in general, while ISO/IEC 27018 was developed specifically to protect privacy in the cloud.

Many people rely on cloud services in everyday life for storage space, computing power or even application software. Alongside the benefits the cloud offers, there are also risks, such as unauthorized access to personal data that can lead to its loss or to a compromise of its integrity. Users' demands for the security of cloud services are therefore particularly high.

The ISO/IEC 27017 standard provides guidelines for information security controls applicable to the provision and use of cloud services with:

  • additional guidance for the implementation of the relevant controls set out in ISO/IEC 27002;
  • additional controls with implementation instructions that relate specifically to cloud services.

This standard provides controls and implementation guidance for both cloud service providers and users.

The ISO/IEC 27018 standard establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII), in accordance with the privacy principles of ISO/IEC 29100 for public cloud computing environments.

In particular, this document sets out guidelines based on ISO/IEC 27002, taking into account the regulatory requirements for the protection of PII that may apply in the information security risk environment of a public cloud service provider.

This standard is applicable to organizations of all types and sizes, including private and public companies, government departments and non-profit organizations, that provide information processing services via cloud computing under contract to other organizations.

The guidelines of this standard may also be relevant to organizations acting as PII controllers. PII controllers may be subject to additional laws, regulations and obligations that do not apply to PII processors; this standard does not cover such additional obligations.



Certification to ISO/IEC 27017 demonstrates to users the security of the services offered in the cloud, while certification to ISO/IEC 27018 attests that personal data is processed securely.

Advantages offered by certification:

  • reduction of security risks;
  • improved competitive advantage;
  • operating in accordance with legal regulations;
  • support for data protection requirements;
  • meeting expectations of clients;
  • strengthening client trust.